ELECTRONIC VOTING PROCESS USING FAIR BLIND SIGNATURES
The present invention concerns the field of cryptography and, more 
especially, the present invention relates to electronic voting. 

Unlike traditional voting, which involves voters casting their votes by physical attendance at a polling station, electronic or "on-line" voting enables voters to cast their respective votes remotely with the aid of a suitable machine (computer, mobile telephone, etc.) connected to a network such as the Internet.

It is to be understood that in the present document, unless the context requires otherwise, the expressions "on-line voting" and "electronic voting" will be used interchangeably.

In order for an on-line voting system to constitute an acceptable alternative to traditional voting schemes, it is generally considered necessary for the on-line system to respect the following principles:

- Eligibility: only votes of legitimate voters must be taken into account;
- Unreusability: each voter must only be able to cast one vote;
- Anonymity: the ballot must be secret, in other words, it should be impossible to tell how a particular voter has voted;
- Accuracy: once a ballot has been cast it should be impossible to alter it;
- Fairness: it should only be possible to tally up the results of the vote after all votes have been cast (in other words, it should be impossible to perform partial tabulation while voting is still in progress);
- Vote and walk-away: once a voter has cast his vote there is no further action he need take;
- Public verifiability: the validity of the whole voting process can be readily verified by anyone.

Many studies have attempted to design secure and convenient electronic voting systems. Indeed, electronic voting is one of the major applications of cryptography. The known proposals for electronic voting schemes often make use of blind signatures.

A digital signature scheme is a cryptographic protocol involving a user and a signer. The user generates a message, generally for transmission over a network, such as the Internet. The signer applies a digital signature to the message as an indication of the validity or authenticity of the message. In conventional digital signature schemes the signer knows the content of the message to which the digital signature is being applied, an algorithm (e.g. the well-known RSA algorithm) is used to generate a digital signature which is difficult or impossible to forge, and the validity of the digital signature can be verified by any interested third party simply by applying the signer's public key.

In a blind signature scheme, the user can obtain a digital signature on his message without letting the signer have information on the content of the message. Clearly this is a desirable feature in a voting application where the message being signed corresponds to a vote. A well-known blind signature scheme developed by Prof. Dr. David Chaum is described in EP-A-0 139 313. Blind signature schemes are often proposed for use in digital cash applications so as to enable an individual to purchase digital cash from a financial institution in a manner which prevents the financial institution from being able to trace the subsequent use of that cash.

As indicated above, various electronic voting schemes have been proposed that make use of blind signatures. However, these earlier proposals suffer from a number of drawbacks. Some schemes do not satisfy the requirement for "vote and walk-away"; instead each voter must participate in the vote counting procedure after all voters have cast their votes. In some schemes, if the "vote and walk-away" principle is respected then the "accuracy" principle is not.

The preferred embodiments of the present invention provide an efficient and secure electronic voting scheme based not on ordinary blind signatures but on fair blind signatures.

In an ordinary blind signature scheme, if the signer signs a number of documents for different users then, when he is presented with one particular document that he has signed, he will not be able to determine when or for whom he signed that document. By way of contrast, in a fair blind signature scheme (FBSS), there is an additional participant, one or more trusted authorities (or "judges"), and the signer can identify which signature resulted from a given signing session with the help of the trusted authority (or of a quorum of trusted authorities if there is more than one).

If the signer has a transcript of a particular signing session then he can identify the signature-message pair resulting from that session: this is termed "signature tracing". Conversely, if the signer has available a particular signature-message pair then he can determine the signing session at which this was generated: this is termed "session tracing". Although fair blind signature schemes enable a given digital signature to be linked to a given user, generally the user's message still remains private. Fair blind signature schemes have mainly been proposed in the context of the fight against organized crime, particularly, the prevention of money laundering.

The preferred embodiments of the present invention provide an electronic voting scheme which uses a fair blind signature process to overcome the drawbacks of the prior art, which respects the above-mentioned principles of anonymity, eligibility, unreusability, accuracy, fairness, vote and walk-away and public verifiability, and which is efficient and secure.

The present invention provides an electronic voting method comprising the step of using a fair blind signature scheme to obtain a digital signature of a signal containing the voter's vote. Typically, the digital signature will be applied by a server module that can be designated an "admin server" module.

In the preferred embodiments of the present invention the fair blind signature scheme is a threshold fair blind signature scheme in which the blind signature is generated by the cooperation of t out of n admin servers, and the voter associated with a particular ballot (but not the way in which he has voted) can be identified by the cooperation of r out of n trusted authorities.

Advantageously, each digital signature obtained from the set of admin 
servers is one-more unforgeable as long as n - t + 1 of the servers in said 
group are honest. 

In general, the signal that is signed by the admin server module corresponds to the voter's vote encrypted according to a first encryption scheme (notably, that of a tallier module used to tally up the votes cast). So, in this case, the electronic voting method will further comprise the step of applying the decryption scheme inverse to said first encryption scheme to the data signal so as to retrieve the voter's vote. Preferably the tallier module is implemented as a mix-net.

According to the preferred embodiments of the present invention, the data signal comprising the voter's encrypted vote is itself encrypted, according to a second encryption scheme (notably, that of a randomizing module) and it is this encrypted data signal that is transmitted to an electronic ballot box as the voter casting his vote. Advantageously, a batch of the encrypted data signals is supplied to the randomizer module for decryption and reordering (so that the voter's identity cannot be determined by consideration of the position of his vote in the list of cast votes). Preferably, the randomizer module is a mix-net.

In the above-described electronic voting method according to the preferred embodiments of the present invention, the mix-net servers do not normally need to produce proofs of correctness of their operation (confirming that the outputs thereof truly do correspond to re-ordered ones of their inputs). Such proofs are only required in the case where a discrepancy is noticed in the voting process. For this reason, in the case of an honest vote (where no voter or mix-net server cheats), the counting of votes is extremely rapid.

Further features and advantages of the present invention will become apparent from the following description of a preferred embodiment thereof, given by way of example, as illustrated by the accompanying drawings, in which:

Fig.1 is a diagram indicating schematically the main participants in the electronic voting scheme of a preferred embodiment of the present invention;

Fig.2 is a diagram illustrating schematically the main steps in the vote-casting phase of the preferred embodiment of the electronic voting method according to the present invention;

Fig.3 is a flow diagram illustrating the main steps in the vote-counting phase of the preferred embodiment of the electronic voting method according to the present invention;

Fig.4 is a flow diagram indicating the main steps in a procedure for handling discrepancies noted during the counting phase, particularly in the case where the discrepancy is attributable to a server in a randomizing mix-net; and

Fig.5 is a flow diagram indicating the main steps in a further procedure for handling discrepancies noted during the counting phase, particularly in the case where the discrepancy is attributable to a voter.

The electronic voting method of the present invention involves participants of six basic types:

- voters,
- an admin server or "electoral authority" (preferably implemented using a set of admin servers),
- a randomizing entity (preferably implemented as a randomizing mix-net),
- a ballot-box server,
- talliers (which are preferably tally servers of a tallier mix-net), and
- a number, n, of trusted authorities (or "judges").

A given voter can be designated using the symbol V_i and has an identifying code which can be designated Id_i. A given voter V_i can apply a certificate, C_i, to data he transmits so as to indicate his entitlement to participate in a given voting process.

Fig.1 is a diagram illustrating schematically how the various participants interact in one preferred embodiment of the present invention.

As shown in Fig.1, according to the electronic voting scheme of the preferred embodiment of the present invention, voters, 10, make contact with an admin server module 20 in order to obtain a digital signature of encrypted vote data, according to a fair blind signature scheme (FBSS). The digitally-signed vote data is provided to a bulletin board server 30 when the voter casts his vote. This vote data is doubly-encrypted: the outer layer of encryption is according to an encryption scheme of a randomizer module 40, the inner layer of encryption is according to an encryption scheme of a tallier module 50. The randomizer module 40 decrypts the vote, leaving it in (singly-)encrypted form, and randomizes the order of the votes received from different voters. The tallier module 50 decrypts the (singly-)encrypted and re-ordered votes so as to retrieve the votes that have been cast, tallies up the votes and outputs the results of the vote.

The admin server module (20) maintains a database, L_AS, of data received from voters for whom it has provided digital signatures. The bulletin board server (30) maintains a database, L_BB, of data received from voters who have posted votes.

At various stages in the voting process discrepancies (or "irregularities") can be detected (for example, at the bulletin board server 30, the randomizer module 40 or the tallier module 50). If the irregularity is determined to be attributable to the voter, the set of trusted authorities, 60, appointed to help operate the fair blind signature scheme are contacted so as to be able to determine the (singly-)encrypted vote data and associated digital signature data affected by the irregularity. In the case where the randomizer module 40 is implemented as a mix-net, it is only necessary for the mix-net servers to generate proofs of correctness (notably, zero-knowledge proofs of correctness) in the case where an irregularity is detected in the voting process. If no irregularities are detected in the voting process then there is no need for the mix-net servers of the randomizer module 40 to generate proofs of correctness. This renders the electronic voting process according to the preferred embodiment of the present invention fast in producing the results of the vote.

The voting method according to the preferred embodiment of the present invention involves the following cryptographic primitives: a digital signature scheme (applied by the voter, 10), a threshold fair blind signature scheme (involving the voter, an admin server module 20 implemented using a set of admin servers and the set of trusted authorities 60), two mix-nets (one mix-net implementing the randomizing module 40, and one mix-net implementing the tallier module 50), and two encryption schemes (that of the randomizing mix-net 40 and that of the tallier mix-net 50).
In the description below of the electronic voting process according to a preferred embodiment of the invention, the cryptographic primitives that are used will be referred to in general terms, without giving full details of any particular implementation. This is because the present invention is not limited with regard to the particular way in which these various primitives are put into practice. Numerous digital signature schemes, threshold fair blind signature schemes, mix-nets and encryption schemes are well-known in the field of cryptography and any secure implementation of these is suitable for use in the present invention.

In a similar way, the present invention is applicable without limitation with regard to the particular hardware or software that is used to implement the various described functions. Suitable software routines and hardware will readily occur to the skilled man based on his common general knowledge in this field.

The voting method according to one preferred embodiment of the present invention will now be described with reference to Figs.2 to 5. This voting method has three main phases: a registration phase, a voting phase, and a vote-counting stage.

The registration phase involves the voter, V_i, interacting with an admin server, AS, or electoral authority, in order to activate his entitlement to vote. As a result of this interaction, the admin server adds this voter, V_i, to its electoral register of voters able to participate in future elections. The interaction between the voter and the admin server during the registration phase can take any convenient form. The voter may contact the admin server directly, for example, by electronic means, or indirectly, for example by using a telephone-based voice-activated response system or by mailing in a completed form to an electoral officer who then updates the electoral list held by the admin server. Advantageously, some security measures, of any convenient type, are adopted so as to ensure that only people who are truly entitled to vote can become recorded in the admin server's electoral register.
During the registration phase the voter obtains the certificate, C_i, that permits him to sign messages. This certificate can take any convenient form: for example, it could be an X509 certificate. The certificate, C_i, is used by the voter during the voting phase.
The voting phase of the preferred embodiment of the electronic voting method according to the present invention will now be described with reference to the flow diagram of Fig.2.

A voter, V_i, selects the vote of his choice, v_i, and encrypts this vote using the encryption key of a tallier, namely an entity that will be involved in tallying the results of the voting process. Any convenient asymmetric algorithm (RSA, El Gamal, etc.) can be used as the encryption scheme of the tallier.

In the preferred embodiments of the invention the tallier is implemented as a mix-net, TM, consisting of a sequence of servers (or "mixes"). Each server of the mix-net receives a batch of input messages and produces as output the batch in a permuted order. The tallier mix-net can be of various types, for example, a Chaumian mix-net (that is, a mix-net in which the messages are successively encrypted with each server's key), a re-encryption mix-net (where there is a single key for all servers in the mix-net, but randomized re-encryption in each server) etc. Preferably the tallier mix-net is a simple mix-net but it is robust (that is, if one tallier server is unavailable, it is possible to replace it by another one).

The process whereby the voter encrypts his vote using the encryption key of the tallier mix-net, TM, can be represented as follows:

where x_i is the encrypted vote and E_TM represents the application of the encryption scheme of the tallier mix-net, TM.

The voter, V_i, then blinds the encrypted vote, x_i, as follows:

e_i = FB(x_i, r_i)

where FB represents the application of the blinding procedure, and r_i is a randomly chosen blinding factor.

The voter, V_i, signs the blinded and encrypted vote, e_i, as a gauge of its authenticity, using his digital signature scheme, S_Vi. That is, the voter generates

s_i = S_Vi(e_i)

The voter, V_i, then sends the data (Id_i, C_i, e_i, s_i) to the admin server, AS.

The admin server, AS, checks that the signature, s_i, is valid, and that it comes from a voter who is listed in its electoral register (this check being performed by verifying the validity of the certificate C_i). The admin server also checks that this voter has not already voted. The latter check involves determining whether or not the admin server, AS, has already generated a digital signature for this voter, V_i, in the current election.

If these checks yield a satisfactory result then the admin server, AS, signs the blinded and encrypted vote, e_i, as a gauge of its authenticity, using its digital signature scheme, S_AS. That is, the admin server generates:

The admin server transmits d_i back to the voter, V_i.

The admin server, AS, keeps a record of the data (Id_i, C_i, e_i, s_i) received from all of the voters for whom it emits digital signatures during the voting process. At the end of the voting phase, the admin server, AS, announces the number of voters for whom it has signed votes, and publishes a list, L_AS = (Id_i, C_i, e_i, s_i), including the data received for all of these voters.

When the voter, V_i, receives back d_i, that is his blinded ballot signed by the admin server, he retrieves a digitally-signed version (y_i) of his ballot (x_i) by unblinding d_i, as follows:

y_i = UFB(d_i)

where UFB represents the application of the unblinding procedure.

The voter, V_i, then uses the encryption key, E_M, of a randomizing entity to encrypt the data (x_i, y_i) corresponding to his encrypted vote and the version of his encrypted vote that is signed by the admin server, AS, as follows:

Advantageously, this randomizing entity is a mix-net, M, which, once again, preferably is a simple but robust mix-net that can be implemented as a Chaumian mix-net, a randomizing mix-net, etc.
The voter then signs this encrypted data using his signature function, S_Vi, to generate a signed message σ_i where:

σ_i = S_Vi(c_i)

The voter then completes his vote by sending the data (Id_i, C_i, c_i, σ_i) to an electronic ballot box, BB. This electronic ballot box is conveniently presented as a bulletin board and implemented as a web server (or the like). The bulletin board verifies the validity of the signature σ_i and, if it is valid, records the data (Id_i, C_i, c_i, σ_i) supplied in this transmission. Preferably, this data is recorded by the web server (or the like) in a form that is resistant to later modification (for example in a read-only memory).
When the voting process has ended (i.e. after the polls have closed), the bulletin board, BB, publishes a list L_BB = (Id_i, C_i, c_i, σ_i) of all data that has been posted during the voting phase in transmissions with valid voter signatures. This list is compared by the admin server with the list of data L_AS it generated in relation to all digital signatures it has provided during the voting phase. If there is an entry (Id_i, C_i, e_i, s_i) in L_AS for which there is no corresponding entry (Id_i, C_i, c_i, σ_i) in L_BB this means that a voter has obtained a blind digital signature on his encrypted vote but did not cast the vote. Steps are then taken to process e_i so that the corresponding message-signature pair (x_i, y_i) can be determined. In particular, the trusted authorities (or judges) are contacted for help in processing e_i.
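The voting-phase exchange described above, worked through as an added example (illustrative code written for this page; it is not part of the patent and not an implementation of the scheme it describes). It assumes a Chaum-style RSA blind signature in place of the threshold fair blind signature scheme, so FB and UFB are RSA blinding and unblinding and no trusted authorities appear in this block; the tallier-encrypted vote x_i is a constructed opaque byte string standing in for E_TM(v_i); the randomizer layer E_M is omitted, so c_i is simply the encoded (x_i, y_i) pair; the certificate C_i is reduced to a voter public key checked against a register; and the key sizes are toy values chosen for readability, not security. The names AdminServer, BulletinBoard, obtain_signed_ballot, cast, reconcile and the voter identifiers are this example's own.

```python
import hashlib
import secrets
from math import gcd

# Toy textbook RSA with hash-then-sign (constructed; Mersenne-prime moduli, insecure sizes).
def rsa_keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public key, private key)

def h_int(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def rsa_sign(sk, msg: bytes) -> int:
    return pow(h_int(msg, sk[0]), sk[1], sk[0])

def rsa_verify(pk, msg: bytes, sig: int) -> bool:
    return pow(sig, pk[1], pk[0]) == h_int(msg, pk[0])

def enc(i: int) -> bytes:                  # fixed-width encoding of an integer for signing
    return i.to_bytes(32, "big")

# Chaum-style RSA blinding, standing in for FB / UFB of the fair blind signature scheme.
def blind(pk, x_i: bytes):
    """e_i = FB(x_i, r_i) = H(x_i) * r_i^e mod n: AS sees only a random-looking value."""
    n, e = pk
    r_i = secrets.randbelow(n - 2) + 2
    while gcd(r_i, n) != 1:                # r_i must be invertible mod n
        r_i = secrets.randbelow(n - 2) + 2
    return (h_int(x_i, n) * pow(r_i, e, n)) % n, r_i

def unblind(pk, d_i: int, r_i: int) -> int:
    """y_i = UFB(d_i) = d_i / r_i mod n: an ordinary AS signature on x_i."""
    return (d_i * pow(r_i, -1, pk[0])) % pk[0]

# Constructed participants: admin server AS, two registered voters, one unregistered.
AS_PK, AS_SK = rsa_keypair(2**31 - 1, 2**61 - 1)
VOTER_KEYS = {"Id_1": rsa_keypair(2**17 - 1, 2**19 - 1),   # (pk, sk); pk plays the role of C_i
              "Id_2": rsa_keypair(2**89 - 1, 2**107 - 1),
              "Id_9": rsa_keypair(2**13 - 1, 2**127 - 1)}
ELECTORAL_REGISTER = {"Id_1", "Id_2"}

class AdminServer:
    def __init__(self):
        self.L_AS = []                     # (Id_i, e_i, s_i) for every signature issued
    def sign_blinded(self, voter_id, voter_pk, e_i, s_i):
        if voter_id not in ELECTORAL_REGISTER:                 # eligibility
            raise PermissionError(f"{voter_id}: not on the electoral register")
        if not rsa_verify(voter_pk, enc(e_i), s_i):            # s_i = S_Vi(e_i) must verify
            raise ValueError(f"{voter_id}: invalid voter signature on e_i")
        if any(rec[0] == voter_id for rec in self.L_AS):       # unreusability
            raise PermissionError(f"{voter_id}: already issued a signature")
        self.L_AS.append((voter_id, e_i, s_i))
        return pow(e_i, AS_SK[1], AS_SK[0])                    # d_i, sent back to the voter

class BulletinBoard:
    def __init__(self):
        self.L_BB = []                     # (Id_i, c_i, sigma_i) for every validly signed post
    def post(self, voter_id, voter_pk, c_i, sigma_i):
        if not rsa_verify(voter_pk, c_i, sigma_i):
            raise ValueError(f"{voter_id}: invalid voter signature on c_i")
        self.L_BB.append((voter_id, c_i, sigma_i))

def obtain_signed_ballot(voter_id, x_i, admin):
    """First half of the voting phase: blind x_i, have AS sign it, unblind to y_i."""
    pk_v, sk_v = VOTER_KEYS[voter_id]
    e_i, r_i = blind(AS_PK, x_i)
    d_i = admin.sign_blinded(voter_id, pk_v, e_i, rsa_sign(sk_v, enc(e_i)))
    y_i = unblind(AS_PK, d_i, r_i)
    assert rsa_verify(AS_PK, x_i, y_i)     # AS never saw x_i, yet y_i verifies on it
    return y_i

def cast(voter_id, x_i, y_i, board):
    """Second half: post the ballot. The randomizer layer E_M is omitted here, so
    c_i is just the encoded (x_i, y_i) pair and sigma_i = S_Vi(c_i)."""
    pk_v, sk_v = VOTER_KEYS[voter_id]
    c_i = x_i + enc(y_i)
    board.post(voter_id, pk_v, c_i, rsa_sign(sk_v, c_i))

def reconcile(admin, board):
    """End of the voting phase: L_AS entries with no L_BB counterpart are the e_i
    values handed to the trusted authorities for signature tracing."""
    posted = {rec[0] for rec in board.L_BB}
    return [(vid, e_i) for vid, e_i, _ in admin.L_AS if vid not in posted]

def run_election():
    admin, board = AdminServer(), BulletinBoard()
    x_1, x_2 = b"E_TM(vote of Id_1)", b"E_TM(vote of Id_2)"  # constructed stand-ins for E_TM(v_i)
    cast("Id_1", x_1, obtain_signed_ballot("Id_1", x_1, admin), board)
    obtain_signed_ballot("Id_2", x_2, admin)                 # signed, but never cast
    outcome = {"signed": len(admin.L_AS), "posted": len(board.L_BB),
               "to_trace": [vid for vid, _ in reconcile(admin, board)]}
    for vid in ("Id_2", "Id_9"):                             # second request; unregistered voter
        try:
            obtain_signed_ballot(vid, b"x", admin)
        except PermissionError as err:
            outcome[vid] = str(err).split(": ", 1)[1]
    return outcome
```

The comparison of L_AS with L_BB at the end returns the (Id_i, e_i) records of voters who obtained a signature but never posted a ballot, which in the scheme above is exactly the input handed to the trusted authorities for signature tracing; the two rejected requests show the eligibility and unreusability checks of the admin server.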
According to the preferred embodiment of the invention, if there are n trusted authorities, it is not necessary for the full set, J, of these trusted authorities to cooperate in processing e_i. Cooperation of a sub-set of the trusted authorities (i.e. a number t, where t < n) is sufficient. In this way, the scheme is workable even if one, or a small number of, the trusted authorities J cannot be reached at a given time, or refuses to cooperate. This sub-set of the trusted authorities applies the signature tracing algorithm, REV_J, of the fair blind signature scheme that is being used in the voting process, as follows:

f_i = REV_J(e_i)

It will be recalled that e_i is the blinded version of voter V_i's encrypted vote x_i.

Depending upon the particular fair blind signature scheme that is applied, the retrieved data, f_i, can be the message-signature pair (x_i, y_i) itself. In the following description it will be assumed that the retrieved data f_i is the message-signature pair (x_i, y_i). The retrieved message-signature pair data is recorded in a list, RL, which can be termed a "revocation list" and which, preferably, is available for public inspection later on. It should be noted that the retrieved data does not reveal the voter's vote, only an encrypted version thereof. Thus, the voter's privacy is respected.
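The t-out-of-n cooperation of the trusted authorities, worked as an added example (illustrative code written for this page; it is neither the patent's scheme nor a real fair blind signature implementation). As a simplified stand-in for the signature-tracing algorithm REV_J it assumes that the blinding factor r_i is escrowed with the n judges as Shamir secret shares, so that any t judges can reconstruct r_i and divide it out of e_i = H(x_i) * r_i^e mod N to recover the value that was blind-signed, while t-1 judges cannot. The modulus N_AS, the field prime FIELD_P and the function names are this example's own assumptions; a deployable scheme would additionally need the voter to prove that the escrowed shares really are shares of the r_i used in e_i, which this block does not do.

```python
import hashlib
import secrets
from itertools import combinations
from math import gcd

FIELD_P = 2**127 - 1                     # constructed: prime field the shares live in
N_AS = (2**31 - 1) * (2**61 - 1)         # constructed toy RSA modulus of the admin server
E_AS = 65537                             # its public exponent

def share_secret(secret: int, t: int, n: int):
    """Shamir split: points (j, f(j)) on a random degree-(t-1) polynomial, f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(FIELD_P) for _ in range(t - 1)]
    return [(j, sum(c * pow(j, k, FIELD_P) for k, c in enumerate(coeffs)) % FIELD_P)
            for j in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0; yields the secret only when len(shares) >= t."""
    secret = 0
    for j, y_j in shares:
        num = den = 1
        for m, _ in shares:
            if m != j:
                num = num * (-m) % FIELD_P
                den = den * (j - m) % FIELD_P
        secret = (secret + y_j * num * pow(den, -1, FIELD_P)) % FIELD_P
    return secret

def rev_j(e_i: int, judge_shares):
    """REV_J stand-in: the available judges pool their shares of r_i and divide it out
    of e_i = H(x_i) * r_i^e, exposing H(x_i), the hashed ciphertext that was blind-signed
    (still not the vote itself)."""
    r_i = reconstruct(judge_shares)
    return e_i * pow(pow(r_i, E_AS, N_AS), -1, N_AS) % N_AS

def demo(t: int = 3, n: int = 5):
    x_i = b"E_TM(vote of Id_2)"                                  # constructed encrypted ballot
    h_x = int.from_bytes(hashlib.sha256(x_i).digest(), "big") % N_AS
    r_i = secrets.randbelow(N_AS - 2) + 2
    while gcd(r_i, N_AS) != 1:
        r_i = secrets.randbelow(N_AS - 2) + 2
    e_i = h_x * pow(r_i, E_AS, N_AS) % N_AS                      # e_i = FB(x_i, r_i), as published in L_AS
    shares = share_secret(r_i, t, n)                              # one share per judge
    return {
        "any_quorum_traces": all(rev_j(e_i, [shares[k] for k in ks]) == h_x
                                 for ks in combinations(range(n), t)),
        "below_quorum_traces": rev_j(e_i, shares[:t - 1]) == h_x,
    }
```

Any t of the n shares interpolate to the same polynomial and hence the same r_i, which is why the scheme tolerates judges that are unreachable or refuse to cooperate; t-1 shares are consistent with every possible value of r_i, so a sub-quorum learns nothing about which e_i belongs to which ballot.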

The counting phase of the electronic voting process according to the preferred embodiment of the present invention will now be described with reference to the flow charts of Figs.3 to 5.

As indicated in Step 1 of Fig.3, the list of c_i values recorded by the bulletin board server is supplied to the randomizer module, M, which applies its decryption scheme, D_M, in order to retrieve the signature-message pairs (x_i, y_i). It will be recalled that, in the preferred embodiments of the present invention, the randomizer module is implemented as a mix-net. This mix-net outputs a list, L, of the values (x_i, y_i) in a random order, different from the order of receipt of the corresponding values, c_i. The list, L, is then supplied to the tallier module, TM, which is also implemented as a mix-net in the preferred embodiment of the invention.

As indicated in Step 2 of Fig.3, the tallier mix-net checks the list L for any duplicate entries. This check can be made by the tallier mix-net itself or by another module which cooperates with the tallier mix-net. If any duplicate entries are found this is a discrepancy which represents an irregularity in the voting procedure. A discrepancy-tracing procedure is then invoked, which will be discussed below in connection with Fig.4. Otherwise, if there are no duplicate entries in the list, L, the tallier mix-net proceeds to Step 3 of Fig.3, where it checks the validity of the digital signatures y_i of the entries in list L. If any of the digital signatures, y_i, are invalid then, once again, the discrepancy-tracing procedure of Fig.4 is invoked.

In the case where the tallier determines that all of the digital signatures, y_i, are valid, it next performs a comparison of the entries (x_i, y_i) in L with the entries (x_i, y_i) in the revocation list, RL (see Step 4 of Fig.3). If there is overlap between the two sets of entries, in other words if L ∩ RL is not the empty set, then the discrepancy-tracing procedure of Fig.4 is invoked. Otherwise, the servers, TM_j, of the tallier mix-net reveal their private keys so that the signals, x_i, can be decrypted (using SK_TM). Accordingly, the votes, v_i, are revealed, the tallier module tallies them up then publishes the result of the election (see Step 6 of Fig.3). The counting stage then ends.
As indicated above, in the case where the checks performed by the tallier module in steps 2, 3 or 4 reveal a discrepancy, the origin of the discrepancy is sought using the discrepancy-tracing of Fig.4.
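Steps 2 to 4 of the counting phase (duplicate check, signature check, comparison against RL) and the tally that follows, written as detection logic over constructed sample lists. This is an added example and not part of the patent; it assumes a toy verification rule (a valid y_i is the SHA-256 digest of x_i) in place of the admin server's real signature verification, and a lookup table standing in for decryption with the released tallier keys. The names check_list, tally, signed and scenarios are this example's own.

```python
import hashlib
from collections import Counter

def toy_verify(x_i: bytes, y_i: bytes) -> bool:
    """Stand-in for verifying the admin server's signature y_i on x_i: here a valid
    y_i is simply SHA-256(x_i). Constructed for the example; not a real signature."""
    return hashlib.sha256(x_i).digest() == y_i

def check_list(L, RL, verify=toy_verify):
    """Steps 2-4 of Fig.3 on the list L of (x_i, y_i) pairs output by the randomizer.
    Returns ("tally", L) when every check passes; otherwise ("discrepancy", reason,
    queried_pairs), the (x_i, y_i)_q entries handed to the discrepancy tracing of Fig.4."""
    counts = Counter(L)                                       # Step 2: duplicate entries
    dups = [p for p in dict.fromkeys(L) if counts[p] > 1]     # each duplicated pair once
    if dups:
        return ("discrepancy", "duplicate", dups)
    bad = [p for p in L if not verify(*p)]                    # Step 3: invalid signatures y_i
    if bad:
        return ("discrepancy", "invalid-signature", bad)
    revoked = set(RL)                                         # Step 4: L ∩ RL must be empty
    overlap = [p for p in L if p in revoked]
    if overlap:
        return ("discrepancy", "revoked", overlap)
    return ("tally", L)

def tally(L, decrypt):
    """Steps 5-6: once the tallier keys are released, decrypt every x_i and count."""
    return Counter(decrypt(x_i) for x_i, _ in L)

def signed(x_i: bytes):
    """Constructed (x_i, y_i) pair that passes toy_verify."""
    return (x_i, hashlib.sha256(x_i).digest())

def scenarios():
    a, b, c = signed(b"E_TM(v_1)"), signed(b"E_TM(v_2)"), signed(b"E_TM(v_3)")
    forged = (b"E_TM(v_4)", b"\x00" * 32)                     # y_i is not a valid signature
    votes = {a[0]: "yes", b[0]: "no", c[0]: "yes"}            # constructed stand-in for D_TM
    return {
        "clean": check_list([a, b, c], RL=[])[0],
        "result": dict(tally([a, b, c], votes.__getitem__)),
        "duplicate": check_list([a, b, a], RL=[])[1:],
        "forged": check_list([a, forged], RL=[])[1:],
        "revoked": check_list([a, b], RL=[b])[1:],
    }
```

The checks run in the order the text gives them and stop at the first discrepancy, returning the offending pairs rather than a bare flag, because those pairs are what the Fig.4 procedure queries the mix servers about; a clean list goes straight to decryption and counting.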

According to the discrepancy-tracing procedure of Fig.4, it is first checked whether the discrepancy arises with the servers of the randomizer mix-net, M. This check is performed by prompting each of the mix-servers, M_j, to generate a zero-knowledge proof of correctness to demonstrate the correspondence between their output and input, using the queried data pair (x_i, y_i)_q as input and applying the mix-net's back-tracing algorithm. Incidentally, if the discrepancy-tracing procedure is being invoked because the tallier found one or more duplicate entries in the list, L, then the queried data pairs (x_i, y_i)_q will be the duplicated entries. If the discrepancy-tracing procedure is being invoked because the tallier found one or more invalid digital signatures, y_i, then the queried data pairs (x_i, y_i)_q will be the data pairs containing these invalid digital signatures. If the discrepancy-tracing procedure is being invoked because the tallier found overlap between L and RL, then the queried data pairs (x_i, y_i)_q will be the data pairs affected by the overlap.

If all of the mix-net servers can generate satisfactory proofs of knowledge then the discrepancy arises, not with a mix-net server, M_j, but with the voter. Accordingly a different part of the discrepancy-tracing protocol (which presumes a cheating voter) is invoked, as will be discussed below with reference to Fig.5.

If one of the mix-net servers cannot generate a satisfactory proof of knowledge, the discrepancy-tracing procedure of Fig.4 continues, based on the presumption that the mix server which could not produce a satisfactory proof of knowledge is a cheating mix-server. This mix server is disqualified. The other mix servers in this mix-net, M, must now reveal their private keys, yielding SK_M. The c_i data recorded by the bulletin board server is now decrypted using SK_M and a new version of the list, L, is generated containing all of the decrypted data-pairs (x_i, y_i). This list, L, is sent to the tallier, TM.

In this case the tallier mix-net, TM, permutes the order of the entries (x_i, y_i) as well as decrypting the vote data. Moreover, in this case the servers, TM_j, of the tallier mix-net are prompted to generate respective proofs that they correctly mix and decrypt their inputs. This increases the duration of the vote counting phase, and increases costs. However, it is to be noted that the generation of these proofs is not required in the case of an election without irregularities. Once the vote data has been decrypted, it is counted and the tallier publishes the result of the election. This ends the counting phase.

Incidentally, if the randomizing module 40 served only to decrypt the 
signature-message pairs, and not to randomize their order, there would be a 
potential problem in the case where the servers of module 40 were obliged to 
reveal their keys (because of detection of an irregularity arising from operation 
of module 40). In such a case, when the keys were revealed there would be a 
direct correspondence between the first entry in the list, L input to the module 
40 and the first entry in the list of signature-message pairs output by the module 
40. In view of the fact that the list input to the module 40 includes codes 
identifying the respective voters, this would prejudice the anonymity of the 
voting process. 

On the other hand, if the discrepancy-tracing procedure of Fig.5 has 
been invoked (in a case where it is presumed that the discrepancy arises from 
voter action, not action of servers in the randomizing mix-net), the normal 
operation of the tallier mix-net, TM, can be preserved, providing that the 
irregular vote data has been eliminated from the data to be processed. 

More particularly, as indicated in Fig.5, in the case of an irregularity attributable to a voter, the identity of the misbehaving voter can be revealed by implementing the back-tracing algorithm of the randomizing mix-net, M, using the queried data pair (x_i, y_i)_q. This will yield the identifier, Id_j, of the voter who sent the data c_j, σ_j to the bulletin board server, BB.

Once the misbehaving voter's identifier has been revealed, the signature-tracing mechanism of the fair blind signature scheme is applied so as to identify the data-pair (x_j, y_j) corresponding to Id_j. This data pair (x_j, y_j) is added to the revocation list, RL, but removed from the list, L, of votes to be counted. The procedure can then return to Step 3 of Fig.3.
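The randomizing mix-net M and the back-tracing of a queried pair (x_i, y_i)_q to the posting voter, as used in the Fig.4 and Fig.5 procedures above, worked as an added example that is not the patent's own design. It assumes a Chaumian mix-net of three servers; a constructed symmetric layer cipher (SHA-256 keystream with a per-layer nonce) standing in for encryption under each server's public key, which is why the voter here uses the servers' keys directly; and a server that answers a back-trace query by revealing only the input position of that one item, which stands in for the zero-knowledge proof of correctness the text calls for and is not itself a proof. Class and function names are this example's own.

```python
import hashlib
import secrets

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def layer_encrypt(key: bytes, msg: bytes) -> bytes:
    """One layer: nonce || (msg XOR keystream). Constructed symmetric stand-in for
    encryption under a mix server's public key; the server holds `key` as its SK_Mj."""
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(msg, keystream(key, nonce, len(msg))))

def layer_decrypt(key: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:16], ct[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))

class MixServer:
    """One server M_j of the randomizing mix-net M."""
    def __init__(self, name: str):
        self.name, self.key = name, secrets.token_bytes(32)
        self.perm = []                        # the permutation applied; kept secret

    def mix(self, batch):
        """Strip this server's layer from every input and output the batch permuted."""
        self.perm = list(range(len(batch)))
        secrets.SystemRandom().shuffle(self.perm)
        return [layer_decrypt(self.key, batch[k]) for k in self.perm]

    def back_trace(self, out_index: int) -> int:
        """For ONE queried output item, reveal which input position it came from.
        Stand-in for the per-item proof of correctness; the rest of perm stays hidden."""
        return self.perm[out_index]

def onion_encrypt(servers, payload: bytes) -> bytes:
    """c_i = E_M(x_i, y_i) in Chaumian form: innermost layer for the last server."""
    for s in reversed(servers):
        payload = layer_encrypt(s.key, payload)
    return payload

def run_randomizer(servers, posted):
    """`posted` is the bulletin board list [(Id_i, c_i), ...]. Returns L: the decrypted
    payloads in an order unrelated to the posting order."""
    batch = [c_i for _, c_i in posted]
    for s in servers:
        batch = s.mix(batch)
    return batch

def trace_to_voter(servers, posted, l_index: int) -> str:
    """Back-tracing as in Fig.5: follow the queried entry L[l_index] back through
    M_k .. M_1 to the bulletin board entry it came from, yielding Id_j."""
    idx = l_index
    for s in reversed(servers):
        idx = s.back_trace(idx)
    return posted[idx][0]

def demo():
    servers = [MixServer("M_1"), MixServer("M_2"), MixServer("M_3")]
    ballots = {f"Id_{k}": f"(x_{k}, y_{k})".encode() for k in range(1, 5)}   # constructed payloads
    posted = [(vid, onion_encrypt(servers, payload)) for vid, payload in ballots.items()]
    L = run_randomizer(servers, posted)
    traced_ok = all(ballots[trace_to_voter(servers, posted, k)] == L[k] for k in range(len(L)))
    return {"payloads_intact": sorted(L) == sorted(ballots.values()), "traced_ok": traced_ok}
```

Because each server keeps its whole permutation secret and discloses only the one position asked about, back-tracing a single queried pair reveals nothing about the other voters' positions; had the module only decrypted without permuting, the k-th output would line up with the k-th bulletin board entry and its Id, which is the anonymity problem the text above describes for the case where the servers must reveal their keys.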

It will be seen that, when there are no voting irregularities, the various mix servers do not need to generate proofs of the correctness of their operation. This leads to an extremely fast counting of the votes. Moreover, because misbehaving mix servers will always be detected in this system, it is unlikely that they will misbehave. Accordingly, the electronic voting scheme of the present invention is liable to yield the result of an election very rapidly.

Considering the security of the electronic voting scheme of the present invention, the following remarks can be made.

Provided that the digital signature scheme that is selected for use in the 
electronic voting scheme of the present invention is not capable of being 
broken, then the principles of eligibility and unreusability are respected in this 
scheme. 

If at least one mix server is honest, and n-t+1 of the trusted authorities are honest, then the anonymity of the voters is protected.

Advantageously, the preferred embodiments of the invention will be implemented using a digital signature scheme in which the signatures are one-more unforgeable as long as n-t+1 admin servers are honest. In such a case, a valid data pair (x_i, y_i) cannot be created. Thus the principle of accuracy is respected.

The talliers cannot decrypt the ballots during the progress of the counting 
phase because the tallier module is implemented as a mix-net. Therefore the 
principle of fairness is respected. 
The voters do not need to take any special action to enable their votes to be opened, or to verify that their votes have been counted. Accordingly, the principle of "vote and go" is respected.

In the preferred embodiments of the invention, the lists L_AS, L_BB, L and RL are made public at the end of execution of the overall protocol. Moreover, every step of the counting stage (including the back-tracing procedures) can be published. This enables any interested party to check that the only ballots which have been discarded are those which truly were invalid, and to verify that the outcome of the election is consistent with the valid cast ballots. Thus, the principle of public verifiability is respected.
30 In the above-described process, it is preferred that the fair blind signature 

scheme should be a threshold fair blind signature scheme. Such schemes are 

well-known and so will not be described in detail here. 
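The following Python program is an added illustration of two parts of the scheme discussed above, the blind-signing of the encrypted vote x_i by the admin server AS and the tallier's counting-phase checks (duplicated data pairs, invalid signatures, overlap with the revocation list RL) that decide whether any back-tracing is needed. It is not code from the patent. Its assumptions, none of which come from the page, are: plain RSA blind signatures stand in for the fair blind signature scheme (so the signature-tracing capability of a fair scheme is not modelled); the admin server's key is the textbook RSA key p = 61, q = 53 (n = 3233), which is for demonstration only and has no security value; and encryption under the tallier mix-net's scheme E_TM is replaced by a trivial reversible packing of (vote, nonce), since the mix-net itself is out of scope here.

```python
from collections import Counter
from math import gcd
import hashlib

# Toy admin-server RSA key (constructed): n = 61 * 53, e = 17, d = e^-1 mod phi(n).
N, E, D = 3233, 17, 2753


def h(x: int) -> int:
    """Map the data signal x_i to an integer modulo N (stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big") % N


# ---- Stand-in for the first encryption scheme E_TM / D_TM (constructed) ----
def enc_vote(v: int, nonce: int) -> int:
    """x_i = E_TM(v_i): pack vote and nonce; only reversibility matters here."""
    return (v << 16) | nonce


def dec_vote(x: int) -> int:
    """v_i = D_TM(x_i)."""
    return x >> 16


# ---- Blind signing between voter V_i and admin server AS ----
def blind(x: int, r: int) -> int:
    """Voter blinds h(x_i) with a factor r coprime to N, giving e_i."""
    if gcd(r, N) != 1:
        raise ValueError("blinding factor must be coprime to N")
    return (h(x) * pow(r, E, N)) % N


def admin_sign(e_i: int) -> int:
    """AS signs the blinded value without learning x_i: S_AS(e_i)."""
    return pow(e_i, D, N)


def unblind(signed: int, r: int) -> int:
    """Voter removes r to obtain y_i, a signature on x_i itself."""
    return (signed * pow(r, -1, N)) % N


def verify(x: int, y: int) -> bool:
    """Anyone can check a data pair (x_i, y_i) against the AS public key."""
    return pow(y, E, N) == h(x)


def obtain_signature(x: int, r: int) -> int:
    return unblind(admin_sign(blind(x, r)), r)


# ---- Counting phase, Steps 2-4 of the flowchart: tallier checks the pairs ----
def count_votes(pairs, revocation_list):
    """pairs: (x_i, y_i) data pairs as output, re-ordered, by the randomizing mix-net.
    Returns (L, irregularities): L is the list of pairs to be counted, and
    irregularities records every discarded pair with the reason for discarding.
    An empty irregularities list means no mix server has to produce a proof."""
    seen, revoked = set(), set(revocation_list)
    L, irregularities = [], []
    for pair in pairs:
        x, y = pair
        if pair in seen:                        # Step 2: duplicated data pair
            irregularities.append(("duplicate", pair))
        elif not verify(x, y):                  # Step 3: invalid signature
            irregularities.append(("invalid_signature", pair))
        elif pair in revoked:                   # Step 4: overlap with RL
            irregularities.append(("revoked", pair))
        else:
            L.append(pair)
        seen.add(pair)
    return L, irregularities


def needs_back_tracing(irregularities) -> bool:
    """Mix-server proofs (and signature tracing) are requested only when at
    least one irregularity was found; otherwise counting proceeds directly."""
    return len(irregularities) > 0


def tally(L) -> Counter:
    """Open the valid ballots: v_i = D_TM(x_i), then count."""
    return Counter(dec_vote(x) for x, _ in L)


def demo():
    """Constructed scenario: four honest ballots (one of them on RL), plus a
    pair with a forged signature and a re-submitted copy of an honest pair."""
    x1, x2, x3, x4 = enc_vote(1, 101), enc_vote(2, 202), enc_vote(1, 303), enc_vote(2, 404)
    p1 = (x1, obtain_signature(x1, 5))
    p2 = (x2, obtain_signature(x2, 7))
    p3 = (x3, obtain_signature(x3, 11))
    p4 = (x4, obtain_signature(x4, 13))        # will be placed on RL
    x5 = enc_vote(2, 505)
    forged = (x5, next(y for y in range(N) if not verify(x5, y)))
    mixed = [p3, p1, forged, p2, p4, p1]       # order as output by the mix-net
    L, irregularities = count_votes(mixed, revocation_list=[p4])
    return L, irregularities, tally(L)


if __name__ == "__main__":
    L, irregularities, result = demo()
    print("counted:", dict(result))
    print("irregularities:", irregularities)
    print("back-tracing needed:", needs_back_tracing(irregularities))
```

The blinding step is what keeps the admin server from linking x_i to the voter: it signs e_i = h(x_i) * r^e mod N and never sees h(x_i), yet after unblinding the pair (x_i, y_i) verifies under its public key. In count_votes the three checks are applied in the order of the flowchart, and each discarded pair is kept with its reason so that the published counting record lets an observer confirm that only genuinely invalid ballots were dropped.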
Although the present invention has been described in terms of a 
particular preferred embodiment thereof, the person skilled in the art will readily 
understand that various features of the preferred embodiment may be varied, 
adapted and/or replaced by others without departing from the present invention 
as defined in the accompanying claims. 

For example, although the preferred embodiment has been described in 
terms of on-line voting, typically by users in their homes, it is to be understood 
that the physical location of the voters is unimportant; in some circumstances it 
is possible to envisage use of the present invention at a traditional polling 
station (which could, for example, be unstaffed). 

Similarly, the present invention is not particularly limited with regard to 
the mechanism used for communicating the various signals between the 
participants in the system. Typically telecommunications networks and the 
internet will be used for communications between the users, the mix servers of 
the first mix net and the admin server. However, other networks can be used. 
In some circumstances it may be feasible for certain of the signals exchanged 
between the participants in the system to be recorded on a recording medium 
and physically transported between those participants. 

It will be understood that the on-line voting techniques of the present 
invention can be applied in any kind of vote, whether it be an election, a 
referendum, an opinion poll, etc. 
CLAIMS: 

1. An electronic voting method comprising the step of using a fair blind 
signature scheme to obtain a digital signature (y_i) of a data signal (x_i) 
comprising a voter's vote (v_i). 

2. The electronic voting method of claim 1, wherein the fair blind signature 
scheme is a threshold fair blind signature scheme in which the digital signature 
is obtained from a sub-set of a group of servers, the group of servers containing 
n servers and the sub-set containing t servers, where t < n. 

3. The electronic voting method of claim 2, wherein each digital signature 
obtained from said set of servers is one-more unforgeable as long as n - t + 1 
of the servers in said group are honest. 

4. The electronic voting method of claim 1, 2 or 3, wherein the data signal 
(x_i) corresponds to the voter's vote (v_i) encrypted according to a first encryption 
scheme (E_TM), and the method further comprises the step of applying the 
decryption scheme (D_TM) inverse to said first encryption scheme to said data 
signal (x_i) whereby to retrieve the voter's vote (v_i). 

5. The electronic voting method of claim 4, wherein said first encryption 
scheme is the encryption scheme of a first mix-net (TM). 

6. The electronic voting method of claim 4 or 5, and comprising the steps 
of: 

receiving, in a first order, a batch of encrypted data signals, each 
encrypted data signal (c_i) comprising data encrypted according to a second 
encryption scheme (E_RM), said data including a respective data signal (x_i); 

retrieving each data signal (x_i) from the respective encrypted data signal 
(c_i) in said batch by applying a decryption scheme (D_RM) inverse to said second 
encryption scheme (E_RM); and 

outputting the retrieved data signals (x_i) for said batch in a different order 
from said first order. 

7. The electronic voting method of claim 6, wherein said second encryption 
scheme is the encryption scheme of a second mix-net (RM). 

8. The electronic voting method of claim 7, and comprising the step of 
detecting irregularities in the voting process, wherein the mix-net servers of said 
second mix-net do not need to generate proofs of correctness unless this 
irregularity-detecting step detects the occurrence of an irregularity. 

9. The electronic voting method of claim 8, wherein the step of detecting 
irregularities comprises verifying that the ballots to be counted do not contain 
duplicated data-pairs, wherein a data-pair corresponds to one of said data 
signals and the digital signature thereof. 

10. The electronic voting method of claim 8, wherein the step of detecting 
irregularities comprises checking the validity of the digital signatures in the 
ballots to be counted. 

11. The electronic voting method of claim 8, wherein the step of detecting 
irregularities comprises checking that there is no overlap between the ballots to 
be counted and entries in a revocation list. 

12. The electronic voting method of any one of claims 8 to 11, and 
comprising the step of determining whether or not the irregularity is attributable 
to a server of the second mix-net. 
13. An electronic voting method according to any previous claim and 
comprising the steps of: 

receiving said data signal (x_i) for digital signature according to said fair 
blind signature scheme at a server module (AS), said data signal (x_i) comprising 
a vote (v_i) selected by a voter (V_i), said vote (v_i) being encrypted according to 
said first encryption scheme (E_TM), blinded according to said fair blind signature 
scheme and digitally signed according to a digital signature scheme of said 
voter; 

verifying, by said server module (AS), that the digital signature (s_i) in the 
received signal is valid; 

in the case where the verifying step confirms that the digital signature in 
the signal received by said server module (AS) is valid, said server module (AS) 
digitally signs the blinded encrypted vote (e_i) and outputs the digitally-signed 
message (S_AS(e_i)); 

unblinding the digitally-signed message (S_AS(e_i)) to yield said digital 
signature (y_i) of the data signal (x_i); 

encrypting said data signal (x_i) and said digital signature (y_i) thereof 
according to said second encryption scheme (E_RM) to produce encrypted data 
signal (c_i); and 

signing said encrypted data signal according to a signature scheme of 
the voter (V_i). 
ELECTRONIC VOTING PROCESS USING FAIR BLIND SIGNATURES 
Abstract 

In an electronic voting process, a voter (V_i) encrypts his vote (v_i) 
according to the encryption scheme (E_TM) of a tallier mix-net (50) used to tally 
up the votes cast. The voter (V_i) obtains on his encrypted vote (x_i), from an 
admin server module (20), a digital signature according to a fair blind signature 
scheme (FBSS). The encrypted vote (x_i) is encrypted a second time, together 
with the unblinded digital signature (y_i) thereof by the admin server, using the 
encryption scheme (E_RM) of a randomizing mix-net (40), to yield an output (c_i), 
and the voter uses his own signature scheme (S_i) to sign this, giving (σ_i). The 
voter sends an ID code and data including (c_i, σ_i) to a bulletin board server (30). 
Discrepancies in this vote data can be detected and their origin traced by 
prompting the randomizing mix-net servers (40) to provide proofs of 
correctness, and using the signature-tracing mechanism of FBSS. 
[Figure residue: flowcharts of the COUNTING PHASE (Fig. 3) and the DISCREPANCY-TRACING procedures (Fig. 4). Recoverable labels: 
Step 1: Randomizer (RM) decrypts the list of c_i to yield (x_i, y_i) and changes the order of the list. 
Step 2: Tallier (TM) checks the re-ordered list of (x_i, y_i): any duplicate entries? 
Tallier (TM) checks the digital signatures: any invalid? (NO: continue; otherwise see Fig. 4.) 
Step 4: Tallier (TM) compares the list L of (x_i, y_i) with the revocation list RL: any overlap? 
DISCREPANCY-TRACING: CHEATING MIX-SERVER, M_j. 
DISCREPANCY-TRACING: CHEATING VOTER.] 